Self-Test System

ABSTRACT

An electronic system comprising a system to be monitored (2) and a plurality of fault-monitoring systems (4, 6) each of which is adapted to output a fault signal when an input indicates that the electronic system is in a fault condition associated with the fault-monitoring system. The fault-monitoring systems are arranged in a cascade fashion such that a fault signal output from one fault-monitoring system (4) is provided as an input to a subsequent fault-monitoring system (6) in the cascade of fault-monitoring systems to simulate a fault condition associated with the subsequent fault-monitoring system. The output of the final fault-monitoring system in the cascade gives an indication of whether there is a fault with any of the fault-monitoring systems.

This invention relates to a self-test process and apparatus that has inherent self-testing capabilities, for use with control systems, in particular but not exclusively for use in vehicles.

Electronic systems that are used in systems where a failure may have serious consequences need various fault monitoring systems to ensure such faults are detected and suitable corrective action taken. Many such fault monitoring systems are known (for example a comparator can be used to compare a supply voltage with a fixed reference voltage, generating an error whenever the supply voltage is under (or over) the reference). Given that failures are a rare event, it is possible for faults to develop in the fault monitoring systems before the faults they are designed to detect occur. If these faults go undetected, it is then possible that when a more serious fault occurs (one that the fault monitoring system was designed to detect) this will go undetected with serious consequences.

Based on the foregoing there is clearly a need for a way of monitoring the fault-monitoring systems themselves.

The invention will now be described, by way of example only, with reference to the accompanying drawings, in which like reference numerals refer to similar elements and in which:

FIG. 1 shows a functional diagram of components of an electronic system incorporating a first embodiment of a self-test system;

FIG. 2 is a circuit diagram illustrating an embodiment of the self-test system of FIG. 1;

FIG. 3 shows a functional diagram of components of an electronic system incorporating a second embodiment of a self-test system; and

FIG. 4 is a flow diagram illustrating the operation of the self-test system of FIG. 3.

A method and apparatus for self-testing an electronic system is described. In the following description, for the purposes of explanation, numerous specific details are set forth to provide a thorough understanding of the present invention. It will be apparent to a person skilled in the art that the present invention may be practised without these specific details. In other instances, well-known structures and devices are shown in block diagram form to avoid unnecessarily obscuring the present invention.

The needs identified above and other needs and objects that will become apparent from the following description are achieved in the present invention which comprises, in one aspect, an electronic system comprising a system to be monitored and a plurality of fault-monitoring systems. Each of the fault-monitoring systems is adapted to output a fault signal when an input indicates that the electronic system is in a fault condition associated with the fault-monitoring system. The fault-monitoring systems are arranged in a cascade fashion such that a fault signal output from one fault-monitoring system is provided as an input to a subsequent fault-monitoring system in the cascade of fault-monitoring systems to simulate a fault condition associated with the subsequent fault-monitoring system. The output of the final fault-monitoring system in the cascade gives an indication of whether there is a fault with any of the fault-monitoring systems. Alternatively the outputs of each of the individual fault-monitoring systems may be monitored to indicate whether there is a fault with any of the fault-monitoring systems.

In other aspects, the invention encompasses a method and a computer-readable medium for carrying out the foregoing steps.

The electronic system to be described is part of the electronic system used in a vehicle such as a car but the method is applicable to other electronic systems which include fault-monitoring systems.

FIG. 1 shows an embodiment of a self-testing fault monitoring system. The electronic system incorporates the system to be monitored 2 (which will typically contain a microprocessor), a first fault detection device 4 (which may for example take the form of a watchdog for the processor) and a second (and in this case final) fault detection device 6 (which may for example take the form of a voltage level detector, monitoring the power rails of the processor). A system 8 provides the required action on detection of a fault (for example to switch off the system 2) and non-volatile memory 10 allows storage of a record of the success or failure of the self testing process.

In either of the above fault detection situations, the fault action system 8 is activated either directly, via fault-monitoring system 6, or indirectly, by fault-monitoring system 4 simulating a fault in monitor 6 which then causes the action.

The fault-monitoring systems 4, 6 are designed to monitor for fault conditions. However the electronic system in which these components are implemented has no way of knowing whether the fault condition detectors are operating properly or not. The embodiment shown in the figures allows an electronic system to monitor the fault-monitoring systems. Preferably, a self-test is carried out each time the system is shut down.

Thus when the electronic system is to be shut down, the system 2 being monitored changes its function so as to cause fault detector 4 to detect a fault. If the fault detector circuit 4 is operating properly, then it will generate an output which will cause fault detector 6 to see a fault. A record of this event is stored in the non-volatile memory 10, as well as causing the fault response activator 8 to carry out a response to a fault condition (typically to shut down the system 2). When the system 2 next receives a signal to start up, it checks for the record in the non-volatile memory. If, on start up, such a record is not in the non-volatile memory then the system 2 registers that the fault-monitoring systems did not function correctly and therefore one of the fault-monitoring systems 4, 6 is faulty. The system then takes the appropriate action e.g. shutting itself down after generating an appropriate fault message. If the system 2 determines that the test of the fault detectors was successful, then the record in the non-volatile memory is cleared, ready for the next self-test.

In a further aspect of the invention a partial self-test is also carried out on start up. On switch on, the supply voltage V_(supp) ramps up to the required level. Therefore a self-test of an under-voltage detector (e.g. fault-monitoring system 6) may also be carried out on start up to test whether the under-voltage detector 6 is correctly detecting an under-voltage situation. Thus, on starting operation of the system, a start-up monitor 12 can check that the under voltage fault-monitoring system 6 initially detects a fault (when the supply voltage is low) and then detects no fault (when the supply is within specification). This fault-monitoring system can inform the electronic system being monitored 2 of its result, and/or activate the fault-response activator 8, and/or store a record in the non-volatile memory 10.

FIG. 2 shows an embodiment of the fault detection system, comprising under- and over-voltage detectors for two power supply lines (5V and 2.6V). The actual detection of under/over voltage is performed by the 4 comparators (30, 32, 34, 36). A signal A indicates an input to the first fault-monitoring device comprising comparators 30, 32. Transistor T1 allows the system to induce a fault into the first comparator 30 which via T2 induces a fault in the second comparator 32. The fault signal B output from the comparator 32 then induces a fault in the next fault-monitoring device comprising comparators 34, 36. Thus fault signal B output from the comparator 32 induces a fault in the next comparator 34 via D1 and in turn comparator 34 induces a fault in the last comparator 36 via D2. The fault signal C output from the second fault-monitoring system (comprising comparators 34, 36) is then used to trigger the fault response activator 8.

In an implementation as shown in this first embodiment described with reference to FIGS. 1 and 2, there are two fault-monitoring devices: at the beginning of the cascade of fault-monitoring devices there is a watchdog system 4 (or similar) connected to a microprocessor, while at the far end of the cascade a fault output signal from the second fault monitoring system 6 turns the system off (or resets the microprocessor).

In a further development, when the electronic system is placed into a fault condition for which the first fault-monitoring device is monitoring, a flag or value (e.g. 1) is stored in the non-volatile memory 10. If the microprocessor of the electronic system 2 is still running after a given period of time (i.e. the microprocessor has not shut down), then the cascade is triggered. The processor then writes a different value (e.g. 2) to the non-volatile memory 10 and switches off. On start up, by examining the non-volatile memory, the reason for the stop can be found. The value should be erased after reading so that a real fault can be distinguished from a “test” fault.

Although FIGS. 1 and 2 show embodiments in which only two fault monitoring systems (4 and 6) are provided, it will be apparent that further fault-monitoring systems may be provided. In this case, the output of a first fault-monitoring system may be provided as the input to a second, the output of the second may be input to a third, and so on.
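The N-stage cascade described above, modelled in C. This is an added example, not part of the patent text: the monitor model, the stuck-inactive defect and all function names are assumptions. It shows the self-test locating a dead stage from the individual stage outputs, and that in this model a dead downstream stage also masks a real fault reported by a stage upstream of it.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_STAGES 3

/* Hypothetical model of one fault-monitoring system in the cascade. */
typedef struct {
    bool stuck_inactive; /* constructed defect: the output can never assert */
    bool real_fault;     /* the condition this monitor actually watches */
} monitor_t;

/* A healthy monitor asserts on its own fault condition or on a fault
 * simulated by the previous stage's output. */
static bool monitor_output(const monitor_t *m, bool simulated_fault)
{
    return !m->stuck_inactive && (m->real_fault || simulated_fault);
}

/* Inject `test` into stage 0, propagate it through the cascade, store every
 * stage output in outs[], and return the final stage's output. */
bool cascade_run(const monitor_t *mons, int n, bool test, bool *outs)
{
    bool sig = test;
    for (int i = 0; i < n; i++) {
        sig = monitor_output(&mons[i], sig);
        outs[i] = sig;
    }
    return sig;
}

/* Self-test with stage `dead` stuck inactive (-1: all stages healthy).
 * Returns the first stage whose output stayed low, or -1 on a pass. */
int self_test_first_silent(int dead)
{
    monitor_t mons[N_STAGES] = {{0}};
    bool outs[N_STAGES];
    if (dead >= 0 && dead < N_STAGES)
        mons[dead].stuck_inactive = true;
    if (cascade_run(mons, N_STAGES, true, outs))
        return -1;                  /* final output asserted: pass */
    for (int i = 0; i < N_STAGES; i++)
        if (!outs[i])
            return i;               /* individual outputs locate the stage */
    return -1;
}

/* Normal operation (no test injected): does a real fault at stage `faulty`
 * reach the final output when stage `dead` is stuck inactive? */
bool real_fault_reaches_output(int faulty, int dead)
{
    monitor_t mons[N_STAGES] = {{0}};
    bool outs[N_STAGES];
    mons[faulty].real_fault = true;
    if (dead >= 0 && dead < N_STAGES)
        mons[dead].stuck_inactive = true;
    return cascade_run(mons, N_STAGES, false, outs);
}

int main(void)
{
    printf("all healthy: first silent stage %d\n", self_test_first_silent(-1));
    printf("stage 1 dead: first silent stage %d\n", self_test_first_silent(1));
    printf("real fault at stage 0, stage 2 dead, reaches output: %d\n",
           real_fault_reaches_output(0, 2));
    return 0;
}
```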

FIG. 3 shows a second embodiment of a self test system. The electronic system incorporates a system to be monitored 2 (typically including at least one processor), a first fault-monitoring device in the form of a voltage level detector 4 and a second fault-monitoring device in the form of a watchdog circuit 6. A second processor 8 may also be provided to monitor the operation of the first processor 2. Non-volatile memory 10 may be provided to store fault history records.

The voltage level detector 4 includes an op-amp, a first (non-inverting) input of which is connected to the supply voltage V_(supp) and the second, inverting, input of which is connected to a reference voltage V_(ref). In use, the supply voltage of the electronic system is likely to change. For instance, when the electronic system is powered up, the voltage will increase from nominally 0V to a voltage in the region of that required by the electronic system e.g. 3V. During this ramp-up stage, the voltage may overshoot the required supply voltage. This results in a so-called over-voltage situation. As this over-voltage may result from some fault with the power supply of the electronic system, this is deemed to be a fault situation.

When the magnitude of the supply voltage is greater than the magnitude of the reference voltage, the op-amp produces an output signal and hence the voltage level detector 4 outputs a fault signal.

The watchdog circuit 6 receives as an input a signal from the processor 2 to indicate that the processor is operating correctly. In normal conditions, the signal is output from the processor 2 in a periodic manner. If the watchdog circuit does not receive the signal when it is expecting a signal, the processor is determined to be in an abnormal state and the watchdog circuit 6 outputs a fault signal in the form of a reset signal.

In either of these fault detection situations, the processor is reset i.e. the operation of the processor is stopped and re-started.

The level detector 4 and the watchdog circuit 6 are designed to monitor for fault conditions. However the electronic system in which these components are implemented has no way of knowing whether the fault condition detectors are operating properly or not. Thus, a self-test is carried out each time the microprocessor is shut down, either because of a reset or because the associated system has been turned off.

Thus, according to a first aspect, when the electronic system is to be shut down, the processor monitors for the detection of an over voltage condition. If the level detector circuit 4 is operating properly, then the level detector circuit 4 should output an over voltage reset signal on shut down. Thus, when the system, in particular the processor of the electronic system, is shut down, the processor monitors for an over voltage signal at the output from the level detector 4. When an over voltage current occurs on stopping of the operation of the processor 2, a record to this effect is stored in non-volatile memory 10. When the processor 2 next receives a signal to start up, the processor looks for the record in the non-volatile memory. If, on start up, such a record is not in the non-volatile memory then the processor 2 registers that the over voltage monitoring circuit 4 has not detected the over voltage situation on shut down and that therefore the over voltage detection device 4 is faulty. The processor then takes the appropriate action e.g. shutting itself down after generating an appropriate fault message. The record in the non-volatile memory is preferably cleared when this fault message is generated.

An additional or alternative self test may be carried out. This relates to the self testing of the watchdog circuit 6. This self test is done automatically on shut down of the processor 2. When a signal is sent to the processor to cease operation, the processor in response ceases sending the periodic signal to the watchdog circuit 6. The watchdog circuit 6 then detects that it is not receiving the usual periodic signals from the microprocessor 2 and thus generates a reset signal. This is received by the processor 2 and a record of this reset signal is stored in the non-volatile memory 10. The processor 2 then shuts down.

On subsequent commencement of operation of the processor 2, the processor carries out a check to see if the non-volatile memory 10 includes a record of the reset signal generated by the watchdog device 6. When the non-volatile memory does not include such a record, a fault message is then generated and the processor shut down.

Preferably a self test is carried out on shut-down for both the level detector 4 and the watchdog circuit 6. The watchdog self-test may be carried out first, by ceasing the periodic signal from the processor 2 to the watchdog circuit 6, and monitoring for a fault signal from the watchdog circuit. This may then be followed by the level detector self-test.

A self-test may also be carried out on start up. As explained above, the supply voltage V_(supp) ramps up to the required level on start up. Therefore a self-test of the level detector 4 is also carried out on start up to test that the level detector 4 is correctly monitoring an under-voltage situation. Thus on starting operation of the processor, the self-test routine monitors for the generation of a fault signal from the level detector 4. On generation of a fault signal from the fault-monitoring device on starting of the operation of the processor, a record to this effect is stored in the non-volatile memory 10. On subsequent receipt of a message to stop operation of the processor, the processor checks whether the non-volatile memory 10 includes a record of a fault signal and when the non-volatile memory does not include a record of such a fault signal, an alarm signal is generated.

FIG. 4 is a flow diagram showing the operation of the self test program. This routine is run on start up or shut down (e.g. when the ignition of a vehicle is started or on or after a reset or any other reason). In the first step (401) the processor receives a command to enter a fault condition for a first fault-monitoring system e.g. to switch off the processor 2. This may be due to a reset from the watch dog application or the voltage detector (or another fault detection device). The processor then enters the fault condition (402) e.g. the processor initiates cessation of operation, which is intended to generate a fault condition.

The system then runs the self test routine as discussed above i.e. monitors (403) to see whether the watch dog application outputs a fault flag and/or whether the voltage detector outputs the fault flag. If a fault signal is output from the fault-monitoring device, then a record of the fault signal is stored (404) in non-volatile memory. In either case, the processor then shuts down all operations (405).

On subsequent reversion (406) of the system into a non-fault condition e.g. start-up of the processor (406) (either as a result of a reset signal or because the system is powered up by a user), the processor checks (407) whether a record is stored in the non-volatile memory for the self-test that was carried out on shut-down. If no such record is present in the non-volatile memory, then an alarm signal is generated (408). This alarm signal or message indicates that the associated fault detection component is not operating properly. In response, the processor would usually shut down until the fault is cleared. However if the non-volatile memory does include a record for the associated fault detection component, the electronic system can continue to operate as normal (409).

If an under-voltage self-test is also to be carried out, the processor may, before step 409, check for the existence of a record indicating that the level detector 4 detected an under-voltage situation on the previous start-up of the processor. If no such record is detected, an alarm signal may be generated (408). Alternatively the processor may run another sub-routine after step 409 in which the processor shuts itself down and starts itself up again to run the under-voltage routine. This additional stop/start routine will result in a small delay in starting of the processor for normal operation but is unlikely to be noticeable to a user.
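The FIG. 4 flow (steps 401 to 409) as a small C model. This is an added example, not code from the patent: the record bit layout, the hw_t hardware model and the function names are assumptions, and non-volatile memory 10 is stood in for by a static variable. It also shows why the record is cleared after the start-up check: a stale record would hide a monitor that fails on a later cycle.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Record bits kept in non-volatile memory 10 (bit layout is an assumption). */
#define REC_WATCHDOG  0x01u
#define REC_LEVEL_DET 0x02u
#define REC_ALL       (REC_WATCHDOG | REC_LEVEL_DET)

/* Stand-in for NVM: survives the simulated shut-down/start-up cycle. */
static uint8_t nvm_record;

/* Constructed hardware model: which monitors still raise a fault signal. */
typedef struct {
    bool watchdog_ok;
    bool level_det_ok;
} hw_t;

/* Steps 401-405: enter the fault condition, monitor for fault signals,
 * store a record for each signal seen, then shut down. */
void shutdown_self_test(const hw_t *hw)
{
    /* 402: stop the periodic signal; 403: did the watchdog raise a reset? */
    if (hw->watchdog_ok)
        nvm_record |= REC_WATCHDOG;      /* 404 */
    /* 403: did the level detector raise its fault signal on shut-down? */
    if (hw->level_det_ok)
        nvm_record |= REC_LEVEL_DET;     /* 404 */
    /* 405: the processor shuts down in either case (nothing to model) */
}

/* Steps 406-409: returns a bitmask of monitors whose record is missing
 * (non-zero means alarm, step 408; zero means continue, step 409).
 * The record is erased after reading when clear_after is true. */
uint8_t startup_check(bool clear_after)
{
    uint8_t missing = (uint8_t)(REC_ALL & ~nvm_record);
    if (clear_after)
        nvm_record = 0;
    return missing;
}

/* Two power cycles: both monitors work on the first, the watchdog fails
 * before the second. Returns the alarm mask seen at the second start-up. */
uint8_t alarm_after_late_failure(bool clear_after)
{
    hw_t hw = { true, true };
    nvm_record = 0;
    shutdown_self_test(&hw);
    (void)startup_check(clear_after);    /* first start-up passes */
    hw.watchdog_ok = false;              /* watchdog fails during operation */
    shutdown_self_test(&hw);
    return startup_check(clear_after);
}

int main(void)
{
    printf("record cleared after check: alarm mask 0x%02x\n",
           (unsigned)alarm_after_late_failure(true));
    printf("record left in place:       alarm mask 0x%02x\n",
           (unsigned)alarm_after_late_failure(false));
    return 0;
}
```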

The invention thus aims to reduce the risk of a fault in a fault-monitoring system going undetected by testing the fault monitoring systems. Preferably the fault monitoring systems are tested every time the monitored system is shut down and restarted (e.g. in the case of a vehicle such as a car this will happen before and after every journey).

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will however be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The description and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

1-18. (canceled)
19. An electronic system comprising at least one fault-monitoring system, the electronic system being arranged to: place the electronic system into a first fault condition and monitor for a generation of a first fault signal from a first fault-monitoring device, on the generation of a first fault signal from the first fault-monitoring device after placing the electronic system into a first fault condition, store a record to this effect in non-volatile memory, on subsequent reversion of the electronic system to a non-fault condition, check whether the non-volatile memory includes a record of a first fault signal and when the non-volatile memory does not include a record of such a first fault signal on subsequent reversion, generate an alarm signal.
20. An electronic system according to claim 19 wherein: placing of the electronic system into a first fault condition comprises stopping operation of a processor; and subsequent reversion of the electronic system to a non-fault condition comprises subsequent commencement of operation of the processor.
21. An electronic system according to claim 19 wherein the fault monitoring device comprises a voltage detector which generates a fault signal when an over-voltage occurs.
22. An electronic system according to claim 19 wherein the fault-monitoring device comprises a device for monitoring the operation of a processor and generating a fault signal when a fault with the operation of the processor is detected.
23. An electronic system according to any of claims 19 further arranged to clear the non-volatile memory of the record once it has been determined whether or not the non-volatile memory includes a record of a fault signal.
24. An electronic system according to any of claims 19 further comprising a plurality of fault-monitoring systems, a fault signal output of a first fault-monitoring system being provided as an input to a second fault-monitoring system, such that an input to the second fault-monitoring system simulates a second fault condition.
25. An electronic system according to claim 24 wherein the output of a final fault-monitoring system is used as an indicator of an overall fault in one of the fault-monitoring systems.
26. A self-test method for an electronic system, the method comprising: placing the electronic system into a first fault condition and monitoring for a generation of a first fault signal from a fault-monitoring device, on the generation of a first fault signal from the fault-monitoring device after placing the electronic system into a first fault condition, storing a record to this effect in non-volatile memory, on subsequent reversion of the electronic system to a non-fault condition, checking whether the non-volatile memory includes a record of a first fault signal and when the non-volatile memory does not include a record of such a first fault signal on subsequent commencement, generating an alarm signal.
27. A self-test method according to claim 26 wherein the electronic system includes a processor, wherein: the placing of the electronic system into a first fault condition comprises stopping operation of the processor; and subsequent reversion of the electronic system to a non-fault condition comprises subsequent commencement of operation of the processor.
28. A self-test method according to claim 26 wherein the electronic system includes a processor, wherein: the placing of the electronic system into a first fault condition comprises starting operation of the processor; and subsequent reversion of the electronic system to a non-fault condition comprises subsequent cessation of operation of the processor.
29. A self-test method according to claim 28 wherein the fault-monitoring device comprises a voltage detector which generates a fault signal when an over-voltage occurs.
30. A self-test method according to claim 28 wherein the fault-monitoring device comprises a device for monitoring the operation of a processor and generating a fault signal on detection of a fault with the operation of the processor.
31. A self-test method according to claim 28 further comprising clearing the non-volatile memory of the record once it has been determined whether or not the non-volatile memory includes a record.